SP Extension for Delegation Facilitation Details

This page describes an extension handler for version 2 of the Service Provider that provides a callable service by which a client application can request delegated access to a web-based service on behalf of the user logged into the SP.

If you have comments/questions on the information presented here please send them to the developer's mailing list.

Current Thinking

A baseline for this feature would be to offload the parts of the delegation flow that involve the SP's configuration (the private key, the IdP's identity and public key) and the original assertion, which happens to encompass the interactions with the IdP and represents an authenticated request for a delegation token. So logically, the client application could interact with the WSP, pass in the AuthnRequest to this extension, get back a Response, and pass that back to the WSP to complete the login process.

Another possible variant, perhaps in addition to the above, could offload the entire process by offering a stateful HTTP proxy (using libcurl as an HTTP client) that interacts with the WSP on behalf of the client application, on the theory that most web service interacts tend to involve relatively small amounts of data.

In either case, the extension would be accessed via HTTP, and will need more advanced security options to protect itself than IP address checking, perhaps some kind of password-like model with a configured secret or even relying on non-Shibboleth authentication at the web server layer, which would offer a lot of advanced options such as TLS or SP-NEGO.